Have you ever felt that the security problems you're faced with would be so simple to solve if only your colleagues had your perspective on them? Are you frustrated that security does not have a more prominent seat at the table?
Oftentimes, identifying security problems and developing the appropriate controls is the easiest part of the security job. Getting our peers and superiors to buy in to those solutions and understand the risk decisions they're making is an under-appreciated but arguably much more important part of our jobs in security.
Chris and Jack will share techniques that help to turn your employees into an army of human security sensors, to get security done regardless of where it sits on the org chart, and to earn major security victories even with a meager budget and a small team. Along the way you’ll learn about the “10 Critical Habits” which we have observed effective security leaders using to achieve their goals.
Bill Lisse - Communicating Security Across the C-Suite (centralohioissa)
CISOs are increasingly being included in Board and Executive discussions. Skills for developing CISOs need to include soft skills, including the ability to communicate across the executive table. This presentation is about the sell versus the tell.
Deral Heiland - Fail Now So I Don't Fail Later (centralohioissa)
With network data breaches being reported weekly, it appears our implementation of prevention solutions is failing. With the average time to detect a breach being greater than 6 months, our detection solutions also appear to be failing. Maybe these solutions and technologies are working correctly and we are just not training our teams how to manage, maintain, and leverage those solutions effectively. In this presentation I will be discussing security testing and validation methodologies that include internal/external pentesting, social engineering, and red team/blue team exercises. In addition, I will be covering how, using these methodologies, we can better prepare and build a more robust security environment that will keep your organization off the front page.
Tre Smith - From Decision to Implementation: Who's On First? (centralohioissa)
This presentation will explore tactics to improve organizational control implementations so that they meet the spirit of organizational risk decisions: an approach that may shorten the time it takes to see organizational policy reflected in everyday workplace practice and technologies, starting with clarifying “Who’s On First?”
Jessica Hebenstreit - Don't Try This At Home! (Things Not To Do When Securing... (centralohioissa)
Securing an enterprise is never easy, especially if the organization's culture and orthodoxy do not accept change easily. Drawing on lessons learned from the perspective of an information security practitioner who has spent her career building security programs, we will look at the challenges and opportunities associated with implementing an information security program, addressing technical, security and business risks.
Discussion that was held at RSA on the five steps CISOs can use to assess their enterprise security program and architect one that meets the organization's objectives and reduces its exposure to risk.
10 Questions Every Company Should Be Asking Itself About its Business Resilience (Michael Bowers)
While no company can anticipate every risk, having risk management policies in place can help mitigate disruptions to business operations. The document outlines 10 questions every business should consider regarding its risk posture and resilience, such as how it would respond to a disaster, whether it has accurate data inventories, and who is responsible for managing threats. It advises that the first steps in improving risk management are to assess the current state, communicate a risk plan to employees, and strengthen internal processes like cybersecurity and data tracking to lower vulnerabilities.
The document outlines a roadmap for a CISO's first 100 days in a new role. It discusses assessing the organization's security posture, planning security strategy and goals, and taking initial actions like redefining teams. Key steps include preparing for day one, assessing people and processes, planning strategy and a 2-3 year roadmap, acting on projects and technology selection, and measuring program impact and providing executive reports. The roadmap is meant to help a new CISO gain insight, define a security vision, and show early progress and wins.
Big data security in the cloud poses challenges for organizations. While new technologies like big data analytics promise improved threat detection, they also have limitations and skills gaps. All organizations face a variety of cybersecurity threats, from state-sponsored actors to competitors to insiders, and prevention through approaches like signatures, rules, and threat intelligence can only do so much. Effectively leveraging security tools and sharing intelligence is needed to tackle evolving threats in an efficient manner.
This is a presentation I delivered to lawyers attending the Alberta Law Conference. It was very conceptual in nature, focusing on some of the broader forces affecting employers and employees. The two topics of substance are "information governance" and social media misuse.
The document provides 10 tips for managing a data security incident from a breach practitioner. The tips are to initiate response immediately, don't make assumptions but find facts, keep investigating and progressing the response, don't rush public statements but strive for 90% confidence, obtain objective external input, get technical forensic help if needed, take a broad view of notification, consider the perspective of affected individuals, demonstrate commitment to improvements, and issue an apology from a senior spokesperson.
This document discusses data and cyber security risks and best practices for protection and response. It notes several high-profile data breaches from 2012-2015 involving lost hard drives containing personal information, unauthorized access to medical records, a medical marijuana mailing error, and a payment card theft. It examines potential legal issues for organizations when data is lost or accessed without authorization. The document also outlines an incident response process and best practices for timing, analysis, and communication in response to a data security incident.
This document summarizes recent legal developments regarding privacy risks, incidents, and liability in Canada. It discusses amendments to PIPEDA and PHIPA that expand requirements for breach notification. It also notes a court case, Hopkins v Kay, that suggests actual harm is not required for privacy claims. Additionally, it covers two class action cases, Evans and Condon, that were certified regarding data breaches. The certification in Condon was notable as it allowed for intentional intrusion claims over lost data where no harm was proven.
Connecting the Dots Between Your Threat Intelligence Tradecraft and Business ... (SurfWatch Labs)
Threat intelligence needs to be in a language the business understands. SurfWatch Labs can help connect cyber threat intelligence to business operations in order to help manage cyber risk.
A summary of the common, surprising, and concerning lessons learned from our validation meetings during the start up phase of our company.
The research is completely subjective, but represents common issues expressed regardless of industry, size, complexity, or perceived maturity.
Advantage ppt data breaches km approved - final (djm notes) (Dan Michaluk)
This document discusses how to properly respond to data breaches. It emphasizes the importance of having a formal, written incident response plan in place due to how time-sensitive breaches are and how organizations can behave unpredictably in a crisis. The plan should include roles and processes for identification, escalation, assessment, containment, investigation, and managing liability. It also recommends retaining IT forensics and legal experts in advance. Practicing the plan through fire drills can help identify flaws and improve response skills. When notifying individuals of a breach, organizations should explain what happened, containment steps, and provide contact information for support.
The Perimeter within Modern Business - does it exist? (ZoneFox)
Cybersecurity trends come and go, but machine learning looks to be here to stay. According to a recent survey, 43% of data breaches in recent years were caused by employees, contractors or suppliers, either negligently or maliciously. How can enterprises protect against the insider threat?
Security Program Development for the Hipster Company (Priyanka Aash)
Cloud services have evolved and can now replace nearly every facet of traditional infrastructure. This movement has enabled rapid scale while introducing a considerable element of risk. This session will discuss a framework for getting started building a security program in an organization that is built purely on cloud services, covering the contradictions and opportunities of that business model.
(Source: RSA USA 2016-San Francisco)
The document provides guidance from Jack Nichelson, Director of Infrastructure & Security at Chart Industries, on creating a results-oriented culture. Some of the key points discussed include:
- Leaders must take ownership of problems and focus on influencing factors within their control rather than blaming external factors.
- It is important to understand stakeholders, begin with defining desired outcomes, and create problem statements to guide goal-setting and planning.
- Metrics and visualization tools can help monitor performance, identify issues, and guide process improvements. Regularly adjusting approaches based on data is important for progress.
- Prioritizing important tasks over just urgent ones, managing time effectively, and collaborating with empathy are also advised for achieving
This document provides guidance on making the right technology investment decisions by balancing risk and debt. It discusses calculating your existing technology debt, questions to ask suppliers, and how to make technology decisions. Key aspects covered include understanding when decisions to delay upgrades incur debt, assessing the "interest rate" of that debt, and classifying risk based on a technology's readiness level. The document emphasizes that technology decisions ultimately depend on building trust with suppliers.
Privacy Breaches - The Private Sector Perspective (canadianlawyer)
Discusses issues that arise in organizations when faced with a privacy breach. Compares attitude and approach of organizations with those of privacy regulators.
This document summarizes a continuing education conference for accounting, finance, and human resources professionals on technology updates for 2011. The conference will cover topics including cloud computing, security best practices, disaster recovery plans, and how to effectively use social media for business. The presenter will discuss what cloud computing really means, current security threats facing businesses, how to safeguard mission critical data through disaster recovery plans, and how to establish social media policies for business collaboration. The conference aims to bring professionals up to date on important technology topics and best practices.
This document advertises a cybersecurity conference for financial institutions to be held in Singapore on March 9-11, 2015. The conference will address growing cyber threats and regulatory changes, and feature presentations from industry experts on topics such as enhancing security frameworks, managing risks from BYOD, leveraging cyber intelligence, and developing cyber risk professionals. A half-day workshop on March 11 will focus on tools and techniques for cyber intelligence and analytics to build cyber resilience. The event aims to provide insights and best practices for financial organizations to mitigate cybersecurity risks through analytical, governance, and algorithmic frameworks.
Cloud based IT services are touted as a big money saver. They offer flexibility and scalability, enabling users to pool and allocate IT resources as needed by using a minimum amount of physical IT infrastructure to service demand. Cloud based IT services also offer the convenience of being able to work remotely and access data from anywhere in the world.
Sometimes businesses move to the cloud too fast, and fail to conduct a rigorous risk analysis and evaluation of its return on investment. When planning a cloud deployment it pays to look past the hype and to compare the trade-offs between the different types of cloud environments.
The kickstarter to measuring what matters Evanta CISO 2017 (Jack Nichelson)
Does counting the number of intrusions a firewall blocked in a month really justify the capital spend on security projects? What kind of operational data demonstrates cybersecurity leaders’ long-term budgetary needs for their programs and at the same time shows the progress they’ve made over the years? Learn how a duo of cybersecurity professionals used thought leadership and a goals-based approach to build the case for past capital and future spend — a system that won them both dollars and trust with peers and their boards.
The document provides guidance from Jack Nichelson, Director of Infrastructure & Security at Chart Industries, on creating a results-oriented culture. Some of the key points discussed include:
- Taking ownership of problems and focusing on influencing outcomes rather than making excuses. Effective leadership requires improving one's own skills and enabling the team.
- Beginning with defining practical outcomes and creating a problem statement to provide goals and plans. It is also important to prioritize tasks and focus on initiatives that provide the biggest returns.
- Understanding stakeholders and their needs in order to solve the right problems. Customer service is important and security should help others accomplish their work safely.
- Being proactive through self-management, setting goals,
10 Critical Habits of Effective Security Managers (Jack Nichelson)
How to Secure Things & Influence People:
10 Critical Habits of Effective Security Managers
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior (Sandra (Sandy) Dunn)
The document discusses how to build an effective security awareness program by empowering and engaging employees rather than intimidating them. It advocates treating employees as "cyber warriors" rather than victims by providing them with the right information and tools to help defend the organization from cyber threats. Some key points made include: focusing on employee engagement; using "nudging" tactics rather than scare tactics to motivate better security behaviors; tailoring the message to different audiences; and measuring the impact of the program through before-and-after baselines. The goal is to change employee mindsets around security and turn intimidated, confused workers into empowered protectors of organizational data and systems.
This webinar discussed effective communication techniques for project managers. It emphasized that while functional tools like selecting the right communication medium are important, good communication form through dialogue, active listening, and being present are also critical. The webinar provided tips for defining problems clearly with stakeholders, overcoming obstacles to communication, and managing discomfort during challenging exchanges. The goal was to help project managers improve their most important skill of communicating across diverse project teams.
1.5 Pages are required
You have been hired as a security specialist by a company to provide methods and recommendations to create a more secure environment for company data.
Write a 1- to 2-page recommendation paper outlining methods the company should consider to protect access to data, including recommendations for policies to be enacted that will increase data security.
Submit your assignment using the Assignment Files tab.
Security Policies
Investing time and money needed to work on developing security policies to better protect information systems is a crucial aspect of business continuity, yet many companies attempt to cut corners and spend little time on this until a critical event occurs. In this scenario, data is compromised while key stakeholders begin to point fingers and blame others for lack of a solid security plan. Implementing security policies and procedures can increase data security thereby decreasing the threat of potential security breaches. This paper will highlight security policies that can help protect data and information systems.
Security Policy #1
The first recommended security policy to help protect access to data is a requirements-based access control policy. Requirements-based access control specifies the level of access a user has and controls what he or she can reach. The easiest way to do this, for example, is to create groups and group policies in Active Directory Domain Services that specify each group's level of access. This way, when new employees are hired and added to Active Directory, they can be assigned to their department or group and receive a baseline level of access. From there, an individual user's access can be extended or removed at the user level, but every user starts from a known baseline. This is an important concept because it keeps lower-level users from accessing confidential documents they have no business reading. Users will log in to workstations with a provided username and will be required to set up a complex passphrase to gain access to the system.
Security Policy #2
To improve our data security, access to the main server and equipment room will be limited. Key card access will be granted only to approved network engineers. This is more secure than allowing every user with a key card to enter the room. Implementing a system that lets us control each user's access to specific rooms through their key card improves all-around security. It also helps prevent unauthorized users from gaining access to rooms without a key card. Currently, the main server room remains unlocked during and after business hours. It is too accessible to unauthorized employees, visitors, vendors, and customers. While we do have video surveillance inside and outside of the building, the cameras currently do not record footage of any.
The Security Industry: How to Survive Becoming Management - BSIDESLV 2013 Keynote (Veracode)
Christien Rioux's keynote presentation slides from BSidesLV 2013 explore how to build a better hacker manager.
Using his own career arc as a baseline, Christien explores how he became a hacker and transitioned into the management role he currently holds at Veracode.
We all encounter different crossroads in life, and the one constant we can count on is change. In defining success it's important to separate business and personal goals, understand the factors that influence them, and study how we can make the best decisions to achieve our goals.
He breaks down the effects that hacker culture can have on companies and how many negative effects can also be turned positive, finishing with his own Ten Commandments of Hacker Management. Enjoy the presentation!
You can follow Christien on Twitter: @dildog
The document provides tips for IT security professionals to effectively communicate security risks to the board of directors. It advises understanding the board's risk tolerance, identifying who owns the risks, exploring risk management frameworks, focusing presentations on solutions rather than problems, and emphasizing how risks impact business operations and the bottom line. The overall goal is to reassure the board that the company is protected while gaining their trust and support for security initiatives.
The document discusses the core skills needed to be a trusted advisor: the ability to earn trust, give advice, and build relationships. It explains that trusted advisors value maintaining relationships over short-term gains. Building trust is a multi-stage process involving engaging with clients, listening to understand their needs, framing issues collaboratively, envisioning solutions together, and committing to agreed upon actions. Trusted advisors focus on understanding clients' perspectives and priorities rather than just providing rational solutions.
The document summarizes a presentation given to senior executives on decision making. It discusses how decision making is an important process that impacts organizations but is often not given careful thought. It outlines different types of decisions and models of decision making. It also presents a six step process for managerial decision making and emphasizes that properly defining the problem is the most important first step. Mathematical tools can help but qualitative approaches are better able to define problems and alternatives. The presentation aims to develop an effective "Super Strategy" approach to decision making.
How To Promote Security Awareness In Your Company (danielblander)
The document discusses promoting security awareness at companies. It outlines objectives like making security relevant and easy to understand. It addresses common objections like programs being too expensive or employees not paying attention. The document recommends focusing on cultural change, empowering employees, and using various mediums like training, newsletters and contests to deliver ongoing security awareness messages. The overall goal is for employees to feel security enables and benefits them.
This document discusses using neuroscience and social selling techniques to improve sales effectiveness. It recommends learning the science behind how the brain responds to social engagement and content. Coaching from experts can help professionals overcome fears and learn proven methods. The document promotes practicing social selling skills using interactive tools that are intuitive and customizable. Case studies show how these neuroscience-based social selling approaches helped companies generate more qualified leads and sales at lower costs than traditional methods.
Seven steps to building a trusting workplace (Idoinspire)
Seven steps are outlined to build a trusting workplace:
1. Focus on open communication and get employees talking safely and honestly.
2. Acknowledge problems like unpopular policies or low morale that employees may be quietly unhappy about.
3. Eliminate secrecy and ensure regular communication of information and plans to employees.
4. Only make commitments that can be followed through on, and communicate any changes openly.
5. Eliminate any ambiguous or unjustified behaviors.
6. Ensure management is consistent, predictable and trustworthy.
7. Value employee judgement and involve employees in solutions rather than just implementing rules.
This document outlines Monroe's Motivated Sequence, a five-step method for structuring persuasive presentations developed by Alan Monroe. The five steps are: 1) Get Attention, 2) Establish the Need, 3) Satisfy the Need, 4) Visualize the Future, and 5) Action/Actualization. For each step, examples are provided of how it could be applied to a workplace safety presentation. The summary emphasizes that Monroe's Motivated Sequence is a proven method for organizing presentations to maximize impact and motivation by first capturing attention, convincing of a problem, introducing a solution, envisioning outcomes, and calling to action.
Overcoming corporate resistance to social media (Emma Hamer)
This document summarizes a workshop on overcoming resistance to social media within corporations. It begins by outlining common excuses and skepticism from employees. It then discusses developing a strategy and securing leadership support. Tactics discussed include educating employees, starting small with volunteers, and sharing success stories. The document argues that social media is an opportunity, not a threat, and that involving champions and measuring results can help overcome resistance to change.
Similar to Chris Clymer & Jack Nichelson - How to Secure Things & Influence People: 10 Critical Habits of Effective Security Managers (20)
Mike Spaulding - Building an Application Security Program (centralohioissa)
Application Security in many organizations is simply a 'wish list' item, but with some staff and some training, AppSec can be a reality, even for a small organization. This talk will discuss the best practices, strategies and tactics, and resource planning needed to build an internal AppSec function; enterprise to 'mom & pop' operations will all benefit from this talk.
Jake Williams - Navigating the FDA Recommendations on Medical Device Security... (centralohioissa)
In January, the FDA released draft recommendations for medical device security after the sale. Among other things, the recommendations tell manufacturers how to evaluate security risks, how to build a coordinated vulnerability disclosure program, and how to intake vulnerability reports from researchers. While the security of medical devices is especially important given the potential consequences, we can learn from the FDA recommendations regardless of our industry. Any recommendations adopted by the FDA for medical devices are likely to be implemented across other verticals for their IoT devices as well. Whether you manufacture, purchase, integrate, implement, or generally try to run away from IoT devices, there’s plenty to take away from this session while learning about the future of IoT device security.
Most boards of directors don't have someone that understands cyber security issues. As a consequence, they can't provide the proper oversight over the companies they are responsible for. This presentation will cover the issues boards of directors need to understand, what questions board members need to ask and how to communicate with them.
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity (centralohioissa)
Corporate cybercrime is usually blamed on outsiders, but sometimes your employees can represent the biggest threat to your organization’s IT security. In this presentation, Kaspersky Lab’s Mark Villinski will provide practical advice for educating your employees about cybersecurity. Attend to learn:
• How to create efficient and effective security policies
• Overview and statistics of the current threat landscape
• The importance of keeping your employees updated about the latest threats and scams
• Security solutions that can help keep your systems updated and protected
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems (centralohioissa)
This document discusses the insecurity of physical access control systems (PACS). It begins by describing the typical components of a PACS, including access cards, readers, access control panels, and servers. It then explains that while physical and cyber security are converging, the physical security industry lacks the security maturity and culture of IT. Many PACS deployments are insecure due to vendor features lacking testing, heavy reliance on IT without understanding, and being deployed and forgotten. The document outlines various attack surfaces and exploits against access cards, readers, control panels and servers. It concludes by providing an example of how these attacks could be combined to take over an entire PACS.
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016 (centralohioissa)
Key legal data security concerns for 2016; Privacy and security preparation; Vendor management; When and how to engage outside counsel & advisors; EU Privacy update; Sample enforcement actions.
Jeffrey Sweet - Third Party Risk Governance - Why? and How? (centralohioissa)
In this session, information will be presented on Third Party Risk Governance. The presenter will provide a better understanding of the what’s, why’s and how’s of a Third Party Risk Governance program and suggest some sources for a program as well as some of the typical “gotchas”. This presentation will also cover common objections from the recipients of assessments and how to overcome them, as well as contract language that can be added to your products and services contracts.
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War (centralohioissa)
In the spirit of Continuous Improvement, we must ask ourselves - Are we doing the best job we can? In this presentation Gary will present some ideas and concepts that can be used to improve the security posture within your organization. These ideas and concepts are not your typical solutions, rather they will force you to make a fundamental change in your approach to implementing security and underlying assumptions about good security practices. This presentation will challenge conventional thinking about how to build a successful security program. After all, what do you have to lose? Are we really winning the cybersecurity war?
By 2014, medical facilities nationwide implemented Electronic Health Records (EHR) as mandated by congress. Today, most of these systems are still using shared kiosk Windows accounts. This talk explores the risks of shared accounts, and alternatives that can provide much greater security and accountability, while maintaining ease of access.
Robert Hurlbut - Threat Modeling for Secure Software Design (centralohioissa)
The document discusses threat modeling as a process for secure software design. It begins with an introduction of the speaker, Robert Hurlbut, and his background. The presentation then discusses how threat modeling helps bridge gaps between different security roles and fits within the software development lifecycle. Key aspects of threat modeling covered include understanding the system, identifying potential threats, determining mitigations and risks. The document provides examples and questions to guide the threat modeling process.
Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ... (centralohioissa)
Disaster recovery, emergency response and business continuity plans are usually developed when no disaster exists. We think we’ve covered all contingencies. We think we’ve trained all the appropriate players. We’ve tested. We’ve re-tested. We think we’re ready to face whatever event there is looming out there with our name on it! The real world has a nasty habit of triggering disasters at the least opportune time, often featuring a twist that throws plans into disarray.
This presentation focuses on three real-world plans, each of which has a fatal flaw. We will discuss elements that should be in a plan beyond the normal guidance from the Disaster Recovery Institute (DRI) and a set of actions that should be included in planning and preparation.
Rafeeq Rehman - Breaking the Phishing Attack Chain (centralohioissa)
Many security research reports show that phishing is a significant contributing factor to data breaches. The Verizon Data Breach Investigations Report (DBIR) shows that attackers used phishing as their entry point in two thirds of security incidents, especially in the cyber espionage category. Although the phenomenon of phishing is nothing new, attackers are enhancing their techniques and using phishing more effectively.
The good news is that understanding the phishing attack chain helps in stopping these attacks, breaking the phishing chain, and averting a data breach. This session covers the different phases of phishing attacks and how to develop a comprehensive strategy to manage the risk associated with these attacks.
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN (centralohioissa)
For the past several years, software-defined networking (SDN) has been a popular buzz word in the networking industry. In many ways, networking has always been defined by software. Software is pervasive within all of the technology that impacts our lives and networking is no different. However, networks have been constrained by the way software has been configured, delivered and managed—literally within a box, updated monolithically, managed through command lines that are reminiscent of the days of minicomputers and DOS in the 1980’s. Well, almost.
Jack Nichelson - Information Security Metrics - Practical Security Metrics (centralohioissa)
So exactly how do you integrate information security metrics into action in an organization and actually achieve value from the effort? Learn what efforts are currently underway in the industry to create consensus metrics guides and what initial steps an organization can take to start measuring the effectiveness of its security program.
Michael Woolard - Gamify Awareness Training: Failure to engage is failure to ... (centralohioissa)
This document discusses security awareness training conducted by Michael Woolard. It provides links to security talks and presentations he has given. It then describes the organization he works for and security awareness events he held including Derbycon, Louisville InfoSec, and Bsides Las Vegas presentations. It outlines a Hack.Jam event for his company that included OWASP training, games, and a capture the flag competition. Feedback from the event was very positive with participants wanting to participate again next year. It concludes by mentioning the use of Kahoot for future security awareness training.
Ruben Melendez - Economically Justifying IT Security Initiatives (centralohioissa)
This presentation discusses frameworks for justifying IT security initiatives and demonstrating their business value. It introduces the Enterprise Value Creation (EVC) framework, which includes principles, stages, and enabling tools for dynamic, collaborative value management. The EVC framework advocates using a Business Value Plan approach rather than just a business case to proactively plan and track value realization over the initiative lifecycle. It provides examples of how tools like the EVC matrix and urgency analysis can be used to assess needs, risks, and pace of initiatives.
Ed McCabe - Putting the Intelligence back in Threat Intelligence (centralohioissa)
What is Threat Intelligence? It's more than raw source feeds and technical information.
If you ask most vendors, they talk about their lists of "bad" IP addresses and domain names, which don't enable the business to make informed decisions on assessing risk and taking action; it lacks -- well, intelligence.
We'll cover what Threat Intelligence is, why analysis is an important factor and methods available to analyze raw data.
Ofer Maor - Security Automation in the SDLC - Real World Cases (centralohioissa)
How can we really automate secure coding? Agile, DevOps, Continuous Integration, Orchestration, Static, Dynamic - There's an endless feed of Buzzwords, but how can we turn this into a practice that really works? In this session we will review real world examples of building a successful automation process for delivery of secure software in fast paced development environments. The talk will focus on three different organizations at different maturity levels and how security automation processes were applied and adapted to fit their development lifecycle.
The document discusses the technical infrastructure and cybersecurity measures in place for hosting large sporting events like the Super Bowl. It notes the large amounts of data (over 10 terabytes) transmitted over WiFi networks by tens of thousands of fans, and the complex monitoring required to detect cyber threats across hundreds of network interfaces and devices. While most traffic was normal, sophisticated attacks were still detected by dedicated security systems, highlighting the ongoing risks at mass gatherings and the importance of multilayered protection strategies.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0! (SOFTTECHHUB)
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Communications Mining Series - Zero to Hero - Session 1 (DianaGray10)
This session provides an introduction to UiPath Communication Mining, its importance and a platform overview. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024 (Neo4j)
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
What do a Lego brick and the XZ backdoor have in common? (Speck&Tech)
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that they are both building blocks, or dependencies of creative and software projects. The reality is that a Lego brick and the case of the XZ backdoor have much more than that in common.
Join the presentation to immerse yourself in a story of interoperability, standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: Advocate of free software and of standard and open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia Association, where she was involved in several events, migrations and training related to LibreOffice. Previously she worked on LibreOffice migrations and training courses for several public administrations and private organizations. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not following her passion for computers and for Geeko she cultivates her curiosity about astronomy (which is where her nickname deneb_alpha comes from).
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications. He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
UiPath Test Automation using UiPath Test Suite series, part 5 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with DevOps.
Topics covered:
CI/CD within UiPath
End-to-end overview of a CI/CD pipeline with Azure DevOps
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
A tale of scale & speed: How the US Navy is enabling software delivery from l... (sonjaschweigert1)
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack (shyamraj55)
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor... (SOFTTECHHUB)
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Full-RAG: A modern architecture for hyper-personalization (Zilliz)
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf (Paige Cruz)
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring & observability to the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party and will share these foundational concepts to build on:
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
3. Chris Clymer
Director of Security Services for MRK
CISO for companies ranging from SMBs to multi-billion dollar corporations
Former board member for NEOISF & co-host of the Security Justice podcast
Aspiring Ironman, amateur saberist
I collaborate with my peers to identify and effectively manage the risks my clients are confronted with
4. Jack Nichelson
Director of Infrastructure & Security for Chart Industries.
Executive MBA from Baldwin-Wallace University
Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and received the CSO50 award for connecting security initiatives to business value.
Adviser for Baldwin Wallace’s state-winning Collegiate Cyber Defense Competition (CCDC) team.
I defend my company’s competitive advantage by helping solve business problems through technology so we can work faster and safer.
“Solving Problems is my Passion”
5. Acknowledgements
Dennis Sommer, COO SecureState
Steve Hendricks, CMO RedIron
Steve Holt, CIO Chart Industries
David Hilmer, VP & CIO Graftech
Matt LoPiccolo, VP & CIO Swagelok
Chuck Norman, Sr. Mgr. Swagelok
Carl Kessler, VP & CIO First Federal
Matt Neely, Dir. Strategy SecureState
Rich Wildermuth, Manager PWC
Craig Shular, CEO GrafTech
Tom Wojnarowski, CIO RITA
Troy Thomas, SVP Wells Fargo
Erick Asmussen, VP & CFO
Jason Middaugh, Mgr. Cliffs
Special thanks to all of the mentors who have helped us through these lessons
6. The Ten Habits
Listening
Positivity
Know Your Stakeholders
Service
Just Say Maybe
Don’t be the Smartest Guy in the Room
Keep it Simple
Execution
Walk the Talk
Self-Reflection
8. Habit I: Listening “Listen, Learn and Then Lead”
Leading by Listening – Desire to help others
High Emotional Intelligence (EQ) is key; you need to care about everyone succeeding at personal & career goals
The day people stop bringing you problems is the day you stop leading
Act decisively, be firm yet sensitive and empathetic
People want to be successful, so take the time to listen, respect, be humble and then help them reach their goals.
Your IQ got you in the door, your EQ will get you to the boardroom
9. Putting it into action “Good Leaders Ask Great Questions”
Effective managers spend a good part of their workday listening to other people and asking good questions. Effective listening includes a four-step process to ensure understanding:
Listen to the total message
Prove your understanding by using nonverbal signals
Use open-ended questions & probes
Paraphrase what you hear and show understanding
Don’t just say “hi”, have a more personal conversation
11. Habit II: Positivity
Security is often fixated on finding the negatives: missing patches, misconfigured systems. It becomes very easy to be Mr. Negativity
Security is often in a position of asking others for help, not dictating to them
Who would you rather help…someone encouraging, or discouraging?
Perpetual optimism is a force multiplier…if you provide positive energy, those around you will be willing to work much harder towards your goals
To motivate those around you to take action, positivity will always trump negativity
“Perpetual Optimism is a Force Multiplier” – Colin Powell
12. Putting it into action
Using positivity to achieve your security goals takes several steps:
Aim to make “heroes” not “zeroes”
Actively look for ways to encourage and help your peers
Actively avoid “beating them up” with negativity
People want to be successful, help them accomplish their personal goals
Have conversations to learn what their personal goals are
Find projects that will help them achieve these
If you have knowledge or connections that could help, share them
14. Habit III: Know Your Stakeholders
Security is about a lot more than just you
You are taking actions to protect assets in the stewardship of others
You are making choices which will impact the ways those around you conduct their business
No one cares what you know until you show them how much you care
To make stuff that matters, you have to know what matters, so work on solving the right problems.
15. Putting it into action
Effective managers take the time to identify stakeholders and know their pain points.
Identify stakeholders in your security program
This is anyone affected by what you are doing
Could be execs, IT, sales, marketing, manufacturing, customers…anyone
Learn what their drivers are, both personal & professional
“Know their pain”
Plan to have “The meeting before the meeting”
Meet with stakeholders individually before bringing them together for a decision.
You’ll know the decision before the real meeting even happens
17. Habit IV: Service
Security is a support role…your job is to help others safely do the things that make your organization productive
You cannot do this job without help
Your employees are not subjects for you to dictate rules to…they are your customers
If you treat them well, they will be your “army of human sensors”, bringing you all kinds of useful intel, and helping to enforce policies you’ve developed to protect them
We often focus on the problem and forget about the customer. They will forget the problem you solved before they forget how you made them feel.
18. Putting it into action
To take care of your “customers”, keep the following steps in mind:
Know who your customers are
Aim to create “stark raving fans”
Make sure they feel comfortable
Make sure they feel “heard”
Create a positive feedback loop
20. Habit V: Just Say Maybe
Security has often been the Department of “No”
Taking a hard stance as a “cyber policeman” can seem to work…until you become perceived as an obstacle
If you are an obstacle, process will begin to be routed around you
Effective leadership requires compromise and empathy for the other person.
21. Putting it into action
Don’t take a hard line on a topic before you have determined everyone’s “musts” and “wants”. This approach will ensure clear communication, fair compromise and a better solution.
Identify the core requirements (Yours & Theirs)
Facilitate a Risk vs. Reward conversation to balance security
Resist the urge to be a “cyber policeman.”
Empathize with others’ problems…but still be comfortable taking a stand
Collaborate on the solution where everyone can win
It’s OK to be uncomfortable with the results
23. Habit VI: Don’t Be the Smartest Guy in the Room
Many of us performed other IT roles before moving into security
This is often seen as a move “up”, which makes it easy to feel that you know your peers’ jobs as well as your own
We also often feel that no one is qualified to do the challenging job of security other than those of us currently charged with it
It is not your job to out-do or “call out” your peers
No one cares who came up with the idea, just that issues are solved
To achieve results we need to build partnerships, not demonstrate knowledge
24. Putting it into action
To build strong partnerships with their peers, an effective manager will strive to do the following in all of their social interactions:
When in a meeting, listen more than you talk
Think very hard before speaking: are you contributing to the discussion, or are you demonstrating your knowledge?
Make your goal finding the best solution for an identified problem…not convincing everyone to accept your solution unchanged
Do not be afraid to let others fail…failure drives personal growth
26. Habit VII: Keep it Simple
Security is a complex field, characterized by the convergence points between many others
It is your job to deal with this complexity, and distill it into simple actions for your stakeholders
Their main job is something else…when you’re asking for their help, you want it to be as simple and frictionless as possible
Be on a mission to be results oriented
A quick win with a simple solution is better than holding your ground for the elegant solution. Don’t let perfect become the enemy of good.
27. Putting it into action
Distill complex security problems into simple elevator pitches you can easily convey to multiple layers of your organization
Hone and practice your message, you will be repeating it often
Don’t become so invested in an elegant solution that you lose sight of the original problem
Find quick wins that you can chain together into larger ones
“Fight the battles you can win” – Sun Tzu
29. Habit VIII: Execution
This may seem obvious, but you need to execute on your plans
Because security is so dependent on others, it’s easy to develop plans which are never executed…and place the blame on others
We also often spend months, or years, of long effort selling our ideas. Once others finally become bought-in, it can feel like the hard work is done
If you have a history of struggling with execution, others will not want to support new projects…no matter how significant the vulnerability you are addressing
Have a plan, and execute, execute, execute
30. Putting it into action
Security managers who move from simply identifying problems to achieving concrete results will typically follow these steps:
Once you have buy-in to security projects, have laser-focus on execution…you may not get a second chance to try it
Security does not make your company money. If a project stumbles or impacts the bottom line negatively, it’s easy to pull it out
Partner with others, but take responsibility for execution
Have a plan, follow it, measure your progress
Use a project manager if you can
You don’t know what you can get away with until you try it
32. Habit IX: Walk the Talk
In security it’s easy to feel we’re an exception to some of the rules
In some cases, we may actually need to be
As the “policeman” you must hold yourself to a higher standard, because there’s often no one else to hold you accountable
Follow the policies you set, or expect others to follow your lead in ignoring them
You must lead by example; do not diminish your authority by disrespecting your own rules
33. Putting it into action
Maintain as few exceptions as possible, and be sure you have a strong justification for each
Cracked down on admin rights? Give thought to where you really need your own
Pushing standard server builds? Don’t maintain a security system with a “special” build because you don’t trust your server teams, or feel your requirements are unique
Follow any policies you’ve set to the tee, and do so visibly
35. Habit X: Self-Reflection
In security we are often perfectionists…accepting failures can be a very difficult thing
Reality is, we will have them
Without awareness of your own strengths and weaknesses you will fail to meet your own potential, and continue to be stymied by the same obstacles
The most important person for you to manage effectively is yourself. To grow personally and professionally you need to know yourself before you can help others.
“Know the enemy and know yourself and you will never be defeated” – Sun Tzu
36. Putting it into action
Self-reflection is a challenge. Effective managers will follow these steps, repeat them often, and not be discouraged when they stumble along the way:
Put a lot of thought into identifying your own areas of weakness
Have a plan for improving these
These will be iterative improvements over time, not one-time things
More about the journey than the destination…you will stumble along the way
Work with a mentor
You need a second opinion on what your areas of weakness are
You also want someone to keep you honest in how you’re progressing
37. The Ten Habits
Listening
Positivity
Know Your Stakeholders
Service
Just Say Maybe
Don’t be the Smartest Guy in the Room
Keep it Simple
Execution
Walk the Talk
Self-Reflection
38. References
You Don’t Need a Title to Be a Leader – Mark Sanborn
The Five Temptations of a CEO – Patrick M. Lencioni
The Art of War for Managers – Gerald Michaelson/Sun Tzu
The Sandler Sales Method – David H. Sandler
How to Win Friends and Influence People – Dale Carnegie
Stephen Covey
The Fifth Discipline – Peter Senge
Leading Change – John Kotter
The Servant – James Hunter
The New Leader’s 100-Day Action Plan – George Bradt
Good to Great – Jim Collins
Crucial Conversations – Kerry Patterson
41. Networking
No time like the present to put your soft skills to work
Say hi to your neighbor…what can they teach you about this topic?
Editor's Notes
Chris kicks off
Why are we here – as we’ve moved through our careers, we’ve found that the technical problems are less and less of the challenge, and that soft skills seem to matter much more towards overall success in security. To better understand this ourselves, and to help our peers, we’ve spent the last several months having discussions with leaders across multiple
What are our goals – to deliver 10 “habits” that we identified during a series of conversations with leaders in and out of security. This group felt that these habits all contributed greatly towards accomplishing goals
Jack takes from here
Discuss interviews over last several months, presentation is aggregated from conversations with this entire group
These are the key lessons we have learned
Jack: If there is consensus among these leaders, it is that it all comes down to listening, learning—and then leading
Story: the listener becomes the “go-to” guy.
Cheerful, approachable, actively asking how you can help and taking the time to listen to everything
Jack is always invested in the success of those around him
Story: Jack’s old CIO on the phone so Jack can solve the problem
Care about people
Jack: meeting a problem head on, in a crisis your words have great impact
Small acts of positivity build
You become what you think about, people around you become what you are
Jack: developing project charter & problem statement helped better understand who stakeholders were, and what matters to them
Shift from compliance to IP (actual business assets)
Jack: HR story. Sysadmin fixes her problem, but she didn’t feel heard, and did not understand the problem or solution
Jack: Dropbox
Jack
Hand off to Chris
Chris – keeping mouth shut shows win…segment plan story. “pull” not a “push”
Not “my” projects, “our” projects
Chris: vulnerability management. SharePoint site & Nessus versus enterprise VMP
Chris: scans, laid out a plan and followed it…prepped people to expect ugly findings, scans on Sunday mornings
Change orders in
Follow-up with employee on hiccups from scans
No one took my gun away
Chris: take away your own local admin before others. “soft power”
How many of you have local admin yourself?
How many of you have passphrases?
This presentation germinated in a series of meetings with our mentors. Talking with external folks who’ve “been there before” gave tremendous perspective. Helped to see where we were falling down, and where despite resistance from our internal peers we were actually moving in the right direction. With security often being off on an island, this perspective can be hugely important.
Chris: Tri story. Needed to work on patience, picked an endurance sport, iterative improvement over time